Index 289
Scientific Working Group on Digital Evidence (SWGDE), 3
scp (secure copy) tool, 224
screen terminal multiplexer, 75–76
script command, 75
scripting, with command line, xxi
scriptreplay command, 75
SCSI-ATA Translation (SAT), 39
SCSI interface, 34f
command sets for, 36–37, 37t, 39
documenting device identification details, 108
identifying subject drive, 105
overview, 33–34
querying drives, 112
tape drives, querying, 134
SD (Secure Digital) standard, 18
sdparm command, 112
sector offsets
converting into byte offset, 247–248, 249, 252, 265
filesystem identification, 263–264
manual extraction using, 272–274
sectors. See also hidden sectors, enabling access to; 4Kn disks
hard disks, 12, 40
replicating with HPA, 219–220
user-accessible, wiping, 225–226
secure copy (scp) tool, 224
secure_deletion toolkit, 224
Secure Digital (SD) standard, 18
Secure/Multipurpose Internet Mail Extensions (S/MIME), 155, 156–157, 201
secure network data transfer, 223–224
secure remote imaging, 168–169
secure wiping and data disposal, 224–228
security erase command, ATA, 226–227
security features, subject disk
ATA password-protected disks, 126–128
encrypted flash thumb drives, 131
overview, 125
self-encrypting drives, 128–131
security levels, ATA password-protected disks, 127
security of forensic image, 211–218
SEDs (self-encrypting drives), 128–131, 218, 228
sedutil-cli command, 129–130, 218, 228
seeking, within compressed files, 188, 204
self-encrypting drives (SEDs), 128–131, 218, 228
Self-Monitoring, Analysis and Reporting Technology (SMART)
extracting data with smartctl, 112–118
managing drive failure and errors, 163–164
NVME drives, 139
self-tests, SMART data on, 115–116
serial access to disks, 122–125
Serial ATA (SATA) interface, 16, 22–25, 23f, 24f, 25f, 94f
Serial Attached SCSI (SAS) interface, 25–26, 25f, 26f, 37
serial bus controller class, 104
serial point-to-point connections, 22
server mode, rdd tool, 166, 167, 168
service areas, 40, 122–125
sessions, CD, 20
sfsimage tool
acquiring image with, 149–150
converting AFF file to compressed SquashFS, 210
converting FTK files to SquashFS, 208–209
converting raw image to SquashFS, 203–204
dcfldd and dc3dd tools, 145
image access tasks, 235
overview, 63
remote forensic acquisition, 169–171
removable media, acquiring image of, 174
SquashFS compression, 191
SquashFS evidence containers, 64–67
sg3_utils software package, 36–37
shadow MBR on Opal SEDs, 129–130, 131
shared buses, 22
shell alias, 72–73
shell history, 73–75
shells. See Bash; command line
shredding files, 224–225
SID (Source Unique Identifier), CDs, 21
sigfind tool, 266
signatures, confirming validity of, 200–202
signing forensic images, 154–157
size
disk image, 83–84
reported file and image, 86–87
skip parameter, for partition extraction with dd, 266